Hi, I recently stumbled upon a funny bug^Wfeature in the Xorg server that could allow attackers with physical access to a machine to bypass the screensaver/screen locker program. Most people use those programs to lock their computer when they are away. On Gnome, gnome-screensaver is responsible for this. On KDE, kscreenlocker is. There is a wide variety of smaller tools doing the same thing, e.g. slock, slimlock, i3lock...

All these tools work more or less the same way: they create a new fullscreen X window, raise it on top of the window stack and grab all mouse and keyboard events. They can optionally disable tty switching. This can seem secure at first glance but all those programs rely on the X server to have exclusive access to the input events and keep the window on top. Unfortunately Xorg does not always cooperate.

I will try to describe what i understand from the bug but keep in mind I'm no X11 expert.A few years ago, a special keybinding was introduced to "kill" windows who grabbed mouse/keyboard, (mostly for testing/debug purposes ?). This functionality was disabled by default, well documented in the man page and an API was written for programs to disallow this behavior:

Option "AllowClosedownGrabs" "boolean" This option enables the use of the Ctrl+Alt+Keypad-Multiply key sequence to kill clients with an active keyboard or mouse grab as well as killing any application that may have locked the server, normally using the XGrabServer(3x) Xlib function. Default: off. Note that the options AllowDeactivateGrabs and AllowClosedownGrabs will allow users to remove the grab used by screen saver/locker programs. An API was written to such cases. If you enable this option, make sure your screen saver/locker is updated.

This API allowing to disable the keybinding per application was removed in 2008 with the XFree86-Misc extension (commit here and here). Later, the whole AllowClosedownGrabs code was removed (commit) and all reference to it was expunged from the man page (commit). I never knew about those key bindings and I doubt they were widely used anyway.

The functionality seems to have been reintroduced in 2011 (commit here and mailing list message here), but this time it's enabled by default, not clearly documented and not even configurable easily (or maybe i haven't found the right way to do it ?). All distros shipping xorg 1.11 are vulnerable to this ....